From 004ecbb78fadae72d4ebb9ad0c46198fce6bdf27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Wed, 19 Jan 2022 13:55:30 +0100
Subject: [PATCH] feat: add Check_MK Service for Mojolicious vulnerability

---
 .../plugins/check_subapp_ws_status.sh.j2      | 58 ++++++++++++-------
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/templates/usr/lib/check_mk_agent/plugins/check_subapp_ws_status.sh.j2 b/templates/usr/lib/check_mk_agent/plugins/check_subapp_ws_status.sh.j2
index b73ee07..956fb18 100755
--- a/templates/usr/lib/check_mk_agent/plugins/check_subapp_ws_status.sh.j2
+++ b/templates/usr/lib/check_mk_agent/plugins/check_subapp_ws_status.sh.j2
@@ -9,11 +9,27 @@ set -e
 # The webservice uses the HTTP-Statuscodes 200, 204, 404 and 500.
 
 LOCKFILE="/var/lock/check_subapp_ws_status.lock"
-itemname='subapp_ws.run_status'
-URL="http://${HOSTNAME}.{{ vault_subapp_webservice_domain | default('localdomain') }}:{{ vault_subapp_webservice_port }}/heartbeat"
+itemname_heartbeat='subapp_ws.run_status'
+itemname_mainpage='subapp_ws.info_reveal'
+URL_HEARTBEAT="http://${HOSTNAME}.{{ vault_subapp_webservice_domain | default('localdomain') }}:{{ vault_subapp_webservice_port }}/heartbeat"
+URL_MAINPAGE="http://${HOSTNAME}.{{ vault_subapp_webservice_domain | default('localdomain') }}:{{ vault_subapp_webservice_port }}"
 
 # IMPORTANT: Create lockfile using "flock", NOT "touch"!!! It's atomic and doesn't have to be cleared after the script ran.
-output=$( flock ${LOCKFILE} curl --silent --location --head --max-time 10 --write-out "%{http_code}\n" "${URL}" --output /dev/null )
+output_heartbeat=$( flock ${LOCKFILE} curl --silent --location --head --max-time 10 --write-out "%{http_code}\n" "${URL_HEARTBEAT}" --output /dev/null )
+output_mainpage=$( flock ${LOCKFILE} curl --silent --max-time 10 "${URL_MAINPAGE}" )
+
+# details: https://git.slub-dresden.de/slub-digitalpreservation/submissionapplications4rosetta/-/issues/117
+if [[ ${output_mainpage} =~ "/mojo/noraptor.png" ]]; then
+	status_mainpage=0
+	perf_values_mainpage="-"
+	statustext_mainpage="Webservice doesn't reveal any confidential information. Great!"
+else
+	status_mainpage=2
+	perf_values_mainpage="-"
+	statustext_mainpage="Webservice reveals confidential information via Mojolicious. OH NOES!!! Check deployed version."
+fi
+
+echo "${status_mainpage} ${itemname_mainpage} ${perf_values_mainpage} ${statustext_mainpage}"
 
 #EXEMPLARY OUTPUT:
 # HTTP/1.1 204 No Content
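Review bot: The new `if [[ ${output_mainpage} =~ "/mojo/noraptor.png" ]]` test treats any body that lacks the marker as CRITICAL, so an empty body is reported as "reveals confidential information" rather than as a failed fetch; and because the file runs under `set -e` (visible in the hunk header), a non-zero curl exit on the new `output_mainpage=$( flock ... curl --silent --max-time 10 "${URL_MAINPAGE}" )` line aborts the script before either item is echoed, silently dropping the heartbeat result that was already fetched on the line above it. I would capture the failure on that assignment, emit status 3 (UNKNOWN) for an empty body, and keep the marker test only for the case where a page was actually received. The main-page fetch also omits the `--location` that the heartbeat fetch passes, so a redirect response body would presumably lack the marker and trip the CRITICAL branch as well; adding it keeps the two fetches consistent. The rest of the hunk (the `else` branch and the `echo`) is unchanged by this.
```shell
output_mainpage=$( flock ${LOCKFILE} curl --silent --location --max-time 10 "${URL_MAINPAGE}" ) || output_mainpage=""

# details: https://git.slub-dresden.de/slub-digitalpreservation/submissionapplications4rosetta/-/issues/117
if [[ -z ${output_mainpage} ]]; then
	# curl failed or returned no body: report UNKNOWN, not an information leak
	status_mainpage=3
	perf_values_mainpage="-"
	statustext_mainpage="Couldn't fetch webservice main page (perhaps timeout occurred)."
elif [[ ${output_mainpage} =~ "/mojo/noraptor.png" ]]; then
	# … unchanged: OK branch, CRITICAL branch, fi, and the echo line …
```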
@@ -24,29 +40,29 @@ output=$( flock ${LOCKFILE} curl --silent --location --head --max-time 10 --writ
 # 204		### <===== HERE'S THE HTTP CODE, THE REST IS DISCARDED TO /dev/null
 
 # https://de.wikipedia.org/wiki/HTTP-Statuscode
-if [[ ( ${output} -ge 200 ) && ( ${output} -le 226 ) ]]; then
+if [[ ( ${output_heartbeat} -ge 200 ) && ( ${output_heartbeat} -le 226 ) ]]; then
 	# Webservice should return HTTP 204 "No Content" if heartbeat is alive
-	status=0
-	perf_values="-"
-	statustext="WebService is available (HTTP ${output} status code)."
-elif [[ ( ${output} -ge 400 ) && ( ${output} -le 451 ) ]]; then
-	status=2
-	perf_values="-"
-	statustext="WebService is NOT available (Client side error HTTP-${output})."
-elif [[ ( ${output} -ge 500 ) && ( ${output} -le 511 ) ]]; then
-	status=2
-	perf_values="-"
-	statustext="WebService is NOT available (Server side error HTTP-${output})."
+	status_heartbeat=0
+	perf_values_heartbeat="-"
+	statustext_heartbeat="WebService is available (HTTP ${output_heartbeat} status code)."
+elif [[ ( ${output_heartbeat} -ge 400 ) && ( ${output_heartbeat} -le 451 ) ]]; then
+	status_heartbeat=2
+	perf_values_heartbeat="-"
+	statustext_heartbeat="WebService is NOT available (Client side error HTTP-${output_heartbeat})."
+elif [[ ( ${output_heartbeat} -ge 500 ) && ( ${output_heartbeat} -le 511 ) ]]; then
+	status_heartbeat=2
+	perf_values_heartbeat="-"
+	statustext_heartbeat="WebService is NOT available (Server side error HTTP-${output_heartbeat})."
 else
-	status=3
-	perf_values="-"
+	status_heartbeat=3
+	perf_values_heartbeat="-"
 	if [[ ! "$( systemctl status webservice_status_SLUBarchiv.service )" =~ "enabled" ]]; then
-		statustext="SystemD-Unit for Webservice is DISABLED."
+		statustext_heartbeat="SystemD-Unit for Webservice is DISABLED."
 	elif [[ $( systemctl status webservice_status_SLUBarchiv.service | grep "Active: inactive (dead)" ) ]]; then
-		statustext="SystemD-Unit for Webservice is STOPPED."
+		statustext_heartbeat="SystemD-Unit for Webservice is STOPPED."
 	else
-		statustext="Couldn't get WebService status (perhaps timeout occurred)."
+		statustext_heartbeat="Couldn't get WebService status (perhaps timeout occurred)."
 	fi
 fi
 
-echo "${status} ${itemname} ${perf_values} ${statustext}"
+echo "${status_heartbeat} ${itemname_heartbeat} ${perf_values_heartbeat} ${statustext_heartbeat}"
-- 
GitLab